FBI Found Nothing Significant On Farook’s iPhone

After all that fuss over Farook’s iPhone the Federal Bureau of Investigation (FBI) finally managed to unlock it without conscripting Apple. So did the agency find information that will allow them to arrest the next terrorists before they can attack? Did the phone contain the secret to destroying the Islamic State? No and no. It turns out, as most people expected, there wasn’t anything significant on the phone:

A law enforcement source tells CBS News that so far nothing of real significance has been found on the San Bernardino terrorist’s iPhone, which was unlocked by the FBI last month without the help of Apple.

It was stressed that the FBI continues to analyze the information on the cellphone seized in the investigation, senior investigative producer Pat Milton reports.

All that hullabaloo over nothing. This is a recurring trend with the State. It makes a big stink about something to justify a demand for additional powers. Eventually it’s revealed that the reason it needed the additional power was nothing more than fearmongering. Why anybody takes the State seriously is beyond me.

How The Government Protects Your Data

Although I oppose both public and private surveillance I especially loathe public surveillance. Any form of surveillance results in data about you being stored and oftentimes that data ends up leaking to unauthorized parties. When the data is leaked from a private entity’s database I at least have some recourse. If, for example, Google leaks my personal information to unauthorized parties I can choose not to use the service again. The State is another beast entirely.

When the State leaks your personal information your only recourse is to vote harder, which is the same as saying your only recourse is to shut up and take it. This complete lack of consequences for failing to implement proper security is why the State continues to ignore security:

FRANKFORT, Ky. (AP) — Federal investigators found significant cybersecurity weaknesses in the health insurance websites of California, Kentucky and Vermont that could enable hackers to get their hands on sensitive personal information about hundreds of thousands of people, The Associated Press has learned. And some of those flaws have yet to be fixed.

[…]

The GAO report examined the three states’ systems from October 2013 to March 2015 and released an abbreviated, public version of its findings last month without identifying the states. On Thursday, the GAO revealed the states’ names in response to a Freedom of Information request from the AP.

According to the GAO, one state did not encrypt passwords, potentially making it easy for hackers to gain access to individual accounts. One state did not properly use a filter to block hostile attempts to visit the website. And one state did not use the proper encryption on its servers, making it easier for hackers to get in. The report did not say which state had what problem.

Today encrypting passwords is something even beginning web developers understand is necessary (even if they often fail to properly encrypt passwords). Most content management systems do this by default and most web development frameworks do this if you use their built-in user management features. The fact a state paid developers to implement their health insurance exchange and didn’t require encrypted passwords is ridiculous.

Filtering hostile attempts to visit websites is a very subjective statement. What constitutes a hostile attempt to visit a website? Some websites try to block all Tor users under the assumption that Tor has no legitimate uses, a viewpoint I strongly disagree with. Other websites utilize blacklists that contain IP addresses of supposedly hostile devices. These blacklists can be very hit or miss and often block legitimate devices. Without knowing what the Government Accountability Office (GAO) considered effective filtering I’ll refrain from commenting.

I’m also not entirely sure what GAO means by using proper encryption on servers. Usually I’d assume it meant a lack of HTTP connections secured by TLS. But that doesn’t necessarily impact a malicious hacker’s ability to get into a web server. Still, it’s not uncommon for government websites to either not implement TLS or implement it improperly, which puts user data at risk.

But what happens next? If we were talking about websites operated by private entities I’d believe the next step would be fixing the security holes. Since the websites are operated by government entities though it’s anybody’s guess what will happen next. There will certainly be hearings where politicians will try to point the finger at somebody for these security failures but finger pointing doesn’t fix the problem and governments have a long history of never actually fixing problems.

FBI Claims Its Method Of Accessing Farook’s Phone Doesn’t Work On Newer iPhones

So far the Federal Bureau of Investigation (FBI) hasn’t given any specific details on how it was able to access the data on Farook’s phone. But the agency’s director did divulge a bit of information regarding the scope of the method:

The FBI’s new method for unlocking iPhones won’t work on most models, FBI Director Comey said in a speech last night at Kenyon University. “It’s a bit of a technological corner case, because the world has moved on to sixes,” Comey said, describing the bug in response to a question. “This doesn’t work on sixes, doesn’t work on a 5s. So we have a tool that works on a narrow slice of phones.” He continued, “I can never be completely confident, but I’m pretty confident about that.” The exchange can be found at 52:30 in the video above.

Since he specifically mentioned the iPhone 5S, 6, and 6S it’s possible the Secure Enclave feature present in those phones thwarts the exploit. This does make sense assuming the FBI used a method to brute force the password. On the iPhone 5C the user password is combined with a hardware key to decrypt the phone’s storage. Farook used a four digit numerical password, which means there were only 10,000 possible passwords. With such a small pool of possible passwords it would have been trivial to brute force the correct one. What stood in the way were two iOS security features. The first is a delay between entering passwords that increases with each incorrect password. The second is a feature that erases the decryption keys — which effectively renders all data stored on the phone useless — after 10 incorrect passwords have been entered.

On the 5C these features are implemented entirely in software. If an attacker can bypass the software and combine passwords with the hardware key they can try as many passwords as they want without any artificial delay and prevent the decryption keys from being erased. On the iPhone 5S, 6, and 6S the Secure Enclave coprocessor handles all cryptographic operations, including enforcing a delay between incorrect passwords. Although this is entirely speculation, I’m guessing the FBI found a way to bypass the software security features on Farook’s phone and the method wouldn’t work on any device utilizing Secure Enclave.

Even though Secure Enclave makes four digit numerical passwords safer they’re still dependent on outside security measures to protect against brute force attacks. I encourage everybody to set a complex password on their phone. On iPhones equipped with Touch ID this is a simple matter to do since you only have to enter your password after rebooting the phone or after not unlocking your phone for 48 hours. Besides those cases you can use your fingerprint to unlock the phone (just make sure you reboot the phone, which you can do at any time by holding the power and home buttons down for a few seconds, if you interact with law enforcement so they can’t force you to unlock the phone with your fingerprint). With a strong password brute force attacks become infeasible even if the software or hardware security enhancements are bypassed.
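The numbers behind that advice can be worked out directly. The following is an added example, not code from the original post: it compares the post's four digit case with longer passwords, first with the delay and 10-attempt erase enforced and then with that enforcement bypassed. The 80 ms per-guess cost, the delay schedule and all names in it are assumptions made for illustration.

```python
"""Cost of guessing a passcode with and without attempt-limit enforcement."""
from dataclasses import dataclass

# Assumption (not from the post): one guess costs about 80 ms because the
# passcode must be run through a slow key derivation tied to the hardware key.
PER_GUESS_SECONDS = 0.08
# Assumption: illustrative escalating delay, in seconds, imposed after the
# Nth consecutive failure. The post only says the delay grows with each miss.
DELAY_AFTER_FAILURE = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
# From the post: decryption keys are erased after 10 incorrect passwords.
WIPE_AFTER = 10
SECONDS_PER_YEAR = 365.25 * 86400


@dataclass(frozen=True)
class Passcode:
    label: str
    alphabet: int  # symbols available per position
    length: int

    @property
    def keyspace(self) -> int:
        return self.alphabet ** self.length


def enforced_outcome(pc: Passcode) -> tuple[float, float]:
    """Delay and wipe enforced: (chance of a hit before wipe, seconds spent)."""
    guesses = min(WIPE_AFTER, pc.keyspace)
    waiting = sum(DELAY_AFTER_FAILURE.get(n, 0) for n in range(1, guesses))
    return guesses / pc.keyspace, waiting + guesses * PER_GUESS_SECONDS


def bypassed_worst_case_seconds(pc: Passcode) -> float:
    """Enforcement bypassed: time to try every candidate (average is half)."""
    return pc.keyspace * PER_GUESS_SECONDS


def min_length_for(alphabet: int, target_seconds: float) -> int:
    """Shortest passcode whose full search takes at least target_seconds."""
    length = 1
    while (alphabet ** length) * PER_GUESS_SECONDS < target_seconds:
        length += 1
    return length


# Constructed sample policies; the first is the case described in the post.
CANDIDATES = [
    Passcode("4-digit PIN (the post's case)", 10, 4),
    Passcode("6-digit PIN", 10, 6),
    Passcode("6 chars, a-z and 0-9", 36, 6),
    Passcode("10 chars, a-z A-Z 0-9", 62, 10),
]


def report() -> list[tuple[str, float, float]]:
    """(label, chance with enforcement, worst-case years without it)."""
    rows = []
    for pc in CANDIDATES:
        chance, _ = enforced_outcome(pc)
        years = bypassed_worst_case_seconds(pc) / SECONDS_PER_YEAR
        rows.append((pc.label, chance, years))
    return rows


if __name__ == "__main__":
    for label, chance, years in report():
        print(f"{label:32} enforced: {chance:.2e}  bypassed: {years:.3g} years")
```

Under these assumptions the four digit password falls in minutes once enforcement is bypassed, while the longer alphanumeric passwords hold up without relying on the delay or the erase feature at all.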

The FBI Heroically Saves Us Yet Again From A Criminal It Created

Just one week after heroically saving us from a terrorist it created, the Federal Bureau of Investigation (FBI) has saved us from yet another criminal it created:

US authorities depict Franey as an unstable anti-government militant who deserved a closer look to see how far he might go. One of his neighbors told FBI agents that Franey said he hated the US military for not allowing him “to leave the Army” after he enlisted, and that he railed at the system for “taking away his kids.” As US Attorney Hayes put it, the Justice Department was obligated to “pursue all available leads to ensure the public was protected from any possible harm.”

But while it seems Franey talked often and enthusiastically about plotting a terrorist attack, there’s little indication he ever had any intention of following through with his threats until the FBI’s undercover agent came along. After befriending Franey, the agent took him on an eight-month ride — sometimes literally, including a road trip along the West Coast — while recording their conversations, doling out cash, furnishing him with guns, and then busting him for illegal possession of the weapons.

I once heard that the FBI used to arrest criminals it didn’t create. Does it still do that once in a while? Is that still a thing?

What happened here is the same thing that always happens. The FBI identified somebody, likely of lukewarm intelligence, who it thought was capable of being radicalized into a threat. It then assigned an agent to befriend the individual and slowly radicalize him. After radicalizing him the agent then provided him a means to perpetrate an attack. The operation then closed with the agent arresting the guy for basically being a radicalized individual in possession of a means to commit an attack.

In this case the FBI’s prey was arrested for illegally possessing weapons. Weapons which were given to him by the FBI.

These operations rely on taking a hypothetical scenario and making it a reality. The individuals they target are those the agency deems capable of being radicalized. If left to their own devices the individuals would almost certainly remain harmless. Most of these individuals are socially isolated, aren’t the brightest bulbs in the box, and are seldom go-getters. Since they’re socially isolated they’re usually desperate for friendship, which makes them vulnerable to FBI agents. Their lukewarm intelligence also makes them more susceptible to being influenced. When you combine social isolation with lukewarm intelligence you have a recipe for an individual who can be easily manipulated to do bad things. But even if they’re manipulated into doing something bad they seldom have the motivation or means. So the FBI prods these individuals into performing an attack and provides them a means with which to pull it off. Finally, with all the pieces in place the FBI arrests its creation.

What the FBI is doing is preying on vulnerable individuals, convincing them to do something bad, and then providing the means to do that bad thing. If the FBI didn’t involve itself these people would normally just fade into the annals of history. The FBI isn’t protecting us from anything with these operations. It’s creating a bad situation and then claiming to save everybody from it.

Religious Freedom*

Mississippi recently passed House Bill 1523 [PDF] into law. The bill was described by its proponents as legislation to protect religious freedom by prohibiting the government from discriminating against actions performed due to strong religious convictions. What the proponents of the bill forgot to mention was the giant asterisk that noted the restrictions. House Bill 1523 only protects your religious freedom as long as you believe the right things:

SECTION 2. The sincerely held religious beliefs or moral convictions protected by this act are the belief or conviction that:

(a) Marriage is or should be recognized as the union of one man and one woman;

(b) Sexual relations are properly reserved to such a marriage; and

(c) Male (man) or female (woman) refer to an individual’s immutable biological sex as objectively determined by anatomy and genetics at time of birth.

If your religious beliefs are outside of those three criteria this bill does not protect them. For example, members of the Church of the Phenomenological Agorist hold a strong moral conviction that participation in the black market is not only righteous but a holy duty. Even though black market participation is a strongly held moral conviction the government will still ruthlessly pursue discriminatory action against them.

Do your religious beliefs acknowledge polygamy? If so those beliefs actually directly go against this bill since it only protects beliefs that acknowledge marriage as a union of one man and one woman. Don’t like it? Tough shit. You should have chosen a governmentally protected religion.

So long as you believe one of the three approved beliefs the government of Mississippi will not prosecute you for refusing to perform a wedding or bake a cake nor will it prosecute you for enforcing bathroom assignments. It will not restrain itself from prosecuting you for, for example, refusing service to police officers, something the Church of the Phenomenological Agorist strongly encourages, or people who discriminate against polygamous families.

This bill isn’t about religious freedom, it’s about religious discrimination. It creates two tiers for religions: those that subscribe to the beliefs specifically noted in the bill and those that do not. Members of religions in the first tier receive special treatment from the Mississippi government. Members of all other religions have to suffer the full brunt of the government’s boot stomping down on their faces.

A New Hero Arises

Setting aside my general hatred of intellectual property, I want to discuss an especially heinous abuse of intellectual property laws. A lot of research done in the United States is funded by tax dollars. We’re told this is necessary because the research wouldn’t be done if it was left to the market and that we shouldn’t complain because the research benefits all of us. But the research fueled by tax funding seldom benefits all of us because the findings are locked away behind the iron curtain of publisher paywalls. We may have been forced to fund it but we don’t get to read it unless we’re willing to pay even more to get a copy of the research papers.

Aaron Swartz fought against this and was ruthlessly pursued by the State for his actions. Now that he has left us a new hero has risen to the call. Alexandra Elbakyan is the creator and operator of Sci-Hub, a website created to distribute research papers currently secured behind paywalls:

But suddenly in 2016, the tale has new life. The Washington Post decries it as academic research’s Napster moment, and it all stems from a 27-year-old bioengineer turned Web programmer from Kazakhstan (who’s living in Russia). Just as Swartz did, this hacker is freeing tens of millions of research articles from paywalls, metaphorically hoisting a middle finger to the academic publishing industry, which, by the way, has again reacted with labels like “hacker” and “criminal.”

Meet Alexandra Elbakyan, the developer of Sci-Hub, a Pirate Bay-like site for the science nerd. It’s a portal that offers free and searchable access “to most publishers, especially well-known ones.” Search for it, download, and you’re done. It’s that easy.

“The more known the publisher is, the more likely Sci-Hub will work,” she told Ars via e-mail. A message to her site’s users says it all: “SCI-HUB…to remove all barriers in the way of science.”

I fear many libertarians will be quick to dismiss Alexandra because she espouses anti-capitalist ideals. But it’s important to focus on her actions, which are very libertarian indeed. She is basically playing the role of Robin Hood by liberating stolen wealth from the State and returning it to the people. The money has already been spent so it cannot be retrieved but what it bought, research, is still there and should be returned to the people as compensation for the original theft. That is all freely releasing tax funded research is and for her part Alexandra should be treated as the hero she is.

But They’ll Keep A Master Key Safe

We’re constantly being told by the State and its worshippers that cryptographic backdoors are necessary for the safety and security of all. The path to security Nirvana, we’re told, lies in mandating cryptographic backdoors in all products that can be unlocked by the State’s master key. This path is dangerous and idiotic on two fronts. First, if the master key is compromised every system implementing the backdoor is also compromised. Second, the State can’t even detect when its networks are compromised so there’s no reason to believe it can keep a master key safe:

The feds warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011, according to an FBI alert obtained by Motherboard.

The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years.

[…]

This group of “persistent cyber criminals” is especially persistent. The group is none other than the “APT6” hacking group, according to sources within the antivirus and threat intelligence industry. There isn’t much public literature about the group, other than a couple of old reports, but APT6, which stands for Advanced Persistent Threat 6, is a codename given to a group believed to be working for the Chinese government.

Even if somebody believes the United States government is a legitimate entity that can be trusted with a cryptographic master key, they probably don’t believe the likes of Iran, China, and North Korea are as well. But those are the governments that would likely get the master key and enjoy exploiting it for years before anybody became the wiser.

And the impact of such a master key being leaked, even if you mistakenly believe the United States government can be trusted to only use it for good, is hard to overstate. Assuming a law was passed mandating all devices manufactured or sold in the United States had to implement the backdoor, a leak of the master key would effectively render every American device unencrypted.

So the real question is, do you trust a government that cannot detect threats within its network for years on end to secure a master key that can unlock all of your sensitive information? Only a fool would answer yes.

Do As We Say, Not As We Do

A lot of people are talking about the Panama Papers. This treasure trove of shell corporations created by utilizing the services of Mossack Fonseca measures in at over 2.5 terabytes in size and it seems to contain dirt on almost every politician. The prime minister of Iceland just resigned due to public outrage stirred by his name appearing in the papers and others are likely to follow.

But the real scandal isn’t that these politicians are utilizing tax havens to protect their wealth. The real scandal is that these politicians continue to hunt those who utilize tax havens while making use of such wealth preserving institutions themselves.

There is nothing immoral about trying to conceal your wealth from thieves. In fact doing so is meritorious. In the case of tax thieves concealing wealth keeps resources out of the hands of the most violent gangs in the world. The fewer resources the State has the less effective it is at subjugating its victims. We shouldn’t decry anybody for protecting their wealth from the State.

What we should decry are thieves and these politicians are not only thieves but they’re dishonest thieves. In public these politicians espouse the merits of taxes and viciously criticize tax evaders. In private they are whisking their wealth away to the exact same places using the exact same tactics as private tax evaders. I believe the only fair thing to do in this case is treat these politicians the exact same way they treat private tax evaders. Make examples of them in the media. Hold a show trial. Then lock them in a cage for the rest of their lives. And do this not because they’re tax evaders but because they’ve gleefully inflicted such harm on tax evaders themselves.

An Encrypted Society Is A Polite Society

Playing off of my post from earlier today, I feel that it’s time to update Heinlein’s famous phrase. Not only is an armed society a polite society but an encrypted society is a polite society.

This article in Vice discusses the importance of encryption to the Lesbian, Gay, Bisexual, and Transgender (LGBT) communities but it’s equally applicable to any oppressed segment of a society:

Despite advances over the last few decades, LGBTQ people, particularly transgender folks and people of color, face alarming rates of targeted violence, housing and job discrimination, school and workplace bullying, and mistreatment by law enforcement. In the majority of US states, for example, you can still be legally fired just for being gay.

So while anyone would be terrified about the thought of their phone in the hands of an abusive authority figure or a jealous ex-lover, the potential consequences of a data breach for many LGBTQ people could be far more severe.

[…]

LGBTQ people around the world depend on encryption every day to stay alive and to protect themselves from violence and discrimination, relying on the basic security features of their phones to prevent online bullies, stalkers, and others from prying into their personal lives and using their sexuality or gender identity against them.

In areas where being openly queer is dangerous, queer and trans people would be forced into near complete isolation without the ability to connect safely through apps, online forums, and other venues that are only kept safe and private by encryption technology.

These situations are not just theoretical. Terrifying real life examples abound, like the teacher who was targeted for being gay, and later fired, after his Dropbox account was hacked and a sex video was posted on his school’s website. Or the time a Russian gay dating app was breached, likely by the government, and tens of thousands of users received a message threatening them with arrest under the country’s anti-gay “propaganda” laws.

Systematic oppression requires information. In order to oppress a segment of the population an oppressor must be able to identify members of that segment. A good, albeit terrifying, example of this fact is Nazi Germany. The Nazis actually made heavy use of IBM counting machines to identify and track individuals it declared undesirable.

Today pervasive surveillance is used by state and non-state oppressors to identify those they wish to oppress. Pervasive surveillance is made possible by the lack of effective encryption. Encryption allows individuals to maintain the integrity and confidentiality of information and can be used to anonymize information as well.

For example, without encryption it’s trivial for the State to identify transgender individuals. A simple unencrypted text message, e-mail, or Facebook message containing information that identifies an individual as transgender can either be read by an automated surveillance system or acquired through a court order. Once identified an agent or agents can be tasked with keeping tabs on that individual and wait for them to perform an act that justifies law enforcement involvement. Say, for example, violating North Carolina’s idiotic bathroom law. After the violation occurs the law enforcement agents can be sent in to kidnap the individual so they can be made an example of, which would serve to send a message of terror to other transgender individuals.

When data is properly encrypted the effectiveness of surveillance is greatly diminished. That prevents oppressors from identifying targets, which prevents the oppressors from initiating interactions entirely. Manners are good when one may have to back up his acts with his life. Manners are better when one doesn’t have to enter into conflict in the first place.

Another Hero Becomes A Political Prisoner Of Uncle Sam

Anybody who has been paying attention to the depravities of the State won’t be surprised by this post. It is a post about another hero who has been turned into a political prisoner by the State. This hero worked to reduce the violence in the drug market by keeping both buyers and sellers anonymous. He did this in spite of the fact that the last person who followed this path ended up imprisoned for life. Unfortunately the fate of his predecessor likely convinced this hero to plead guilty and suffer a reduced sentence rather than be railroaded by the State’s courts:

Last week, a federal judge in Washington formally accepted the guilty plea of Brian Farrell, the 28-year-old who had been accused in 2015 of being the right-hand man to the head of Silk Road 2.0, the copycat website inspired by the infamous Tor-enabled drug website.

In a 2015 press release, the Department of Justice said that SR2 had generated approximately $8 million per month since it began in November 2013.

While the State was busy sending Special Weapons And Tactics (SWAT) teams to people’s houses at oh dark thirty to kick in their doors, shoot their dogs, and kidnap them because they were in possession of a plant, Brian Farrell was helping run a service that kept those psychotic law enforcers away from both buyers and sellers. After all, neither drug buyers nor sellers commit actual crimes. There is no victim in a mutually agreed upon transaction.

Due to the illegal nature of the drug trade violence often does creep into the mix though. Most of this violence occurs between competing dealers but sometimes it occurs when disagreements arise between buyers and sellers. Since the State has declared the drug trade illegal, claims a monopoly on dispute resolution services, and ruthlessly pursues anybody who creates a dispute resolution service for drug market actors there are few places for a wronged seller or buyer to go. Silk Road and Silk Road 2 acted as both a marketplace and a dispute resolution service. Through escrow, mediation, and user reviews both Silk Roads allowed wronged parties to have their disputes resolved peacefully. In fact there was no way for wronged parties to resort to violence since all parties were anonymous.

Online drug marketplaces are considered illegal by the State. But the vast majority of crimes perpetrated in relation to these marketplaces are those committed by the State as it uses its capacity for violence to terrorize and punish anybody involved in the drug trade.

Brian Farrell, like Ross Ulbricht before him, should be remembered as a hero who tried to stem the tide of government violence.